King Ouroboros

King Ouroboros is a ransomware that runs on Microsoft Windows. It was discovered by Michael Gillespie. It is part of the CryptoWire and AutoTRON family. It is aimed at English-speaking users. Members of the group distributing this encryptor quite often reduce the ransom amount for victims who ask for it and do not have the amount indicated in the ransom note. In June 2018, the ransom amount was reduced to as little as $30. On July 17th, 2018, the creator of King Ouroboros started venting to MalwareHunterTeam, Michael Gillespie, and Amigo-A after being called a scammer.

Payload Transmission

King Ouroboros is distributed as a Java Update Scheduler.

Infection

When executed, it will encrypt a computer and insert the king_ouroboros string into the encrypted file's name. For example, test.doc would be encrypted and renamed to test.king_ouroboros.doc.

King Ouroboros will encrypt the following extensions:

.3fr, .7z, .aaf, .abw, .accdb, .aep, .aepx, .aet, .afsnit, .ai, .aif, .amf, .arc, .arw, .as, .asc, .asd, .asf, .ashdisc, .asm, .asp, .aspx, .asx, .au3, .aup, .avi, .bay, .bbb, .bdb, .bibtex, .bkf, .bmp, .bpn, .btd, .bw, .bz2, .c, .cdi, .cdr, .cer, .cert, .cfm, .cgi, .cin, .cpio, .cpp, .cr2, .crt, .crw, .csg, .csr, .cue, .dbf, .dcr, .dds, .dem, .der, .dib, .dmg, .dng, .doc, .docm, .docx, .dpx, .dsb, .dwg, .dxf, .dxg, .eddx, .edoc, .ei, .eml, .emlx, .eps, .epub, .erf, .exr, .fdf, .ffu, .flv, .gam, .gcode, .gho, .gpx, .gz, .h, .hbk, .hdd, .hdr, .hds, .himmel, .hpp, .icb, .icml, .ics, .idml, .iff, .img, .indb, .indd, .indl, .indt, .inx, .ipd, .iso, .isz, .iwa, .j2k, .jp2, .jpe, .jpeg, .jpf, .jpg, .jpm, .jpx, .jsp, .jspa, .jspx, .jst, .kdc, .key, .keynote, .kml, .kmz, .lic, .lwp, .lzma, .m3u, .m4a, .m4v, .ma, .max, .mbox, .md2, .mdb, .mdbackup, .mddata, .mdf, .mdinfo, .mds, .mef, .metadata, .mid, .mos, .mov, .mp3, .mp4, .mpa, .mpb, .mpeg, .mpg, .mpj, .mpp, .mrw, .msg, .mso, .nba, .nbf, .nbi, .nbu, .nbz, .nco, .nef, .nes, .note, .nrg, .nri, .nrw, .odb, .odc, .odm, .odp, .ods, .odt, .off, .ogg, .one, .orf, .ova, .ovf, .oxps, .p12, .p2i, .p65, .p7, .p7b, .p7c, .pages, .pct, .pcx, .pdd, .pdf, .pef, .pem, .pfx, .php, .php3, .php4, .php5, .phps, .phpx, .phpxx, .phtm, .phtml, .pic, .pl, .plist, .pmd, .pmx, .png, .ppdf, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prproj, .ps, .psd, .pspimage, .pst, .ptx, .pub, .pvm, .qcn, .qcow, .qcow2, .qt, .r3d, .ra, .raf, .rar, .raw, .rgb, .rgbe, .rla, .rle, .rm, .rpf, .rtf, .rw2, .rwl, .s, .sbf, .set, .sgi, .skb, .slf, .sme, .smm, .snp, .spb, .sql, .sr2, .srf, .srt, .srw, .ssc, .ssi, .stg, .stl, .svg, .swf, .sxw, .syncdb, .tager, .tc, .tex, .tga, .thm, .tib, .tif, .tiff, .til, .toast, .torrent, .txt, .vbk, .vcard, .vcd, .vcf, .vda, .vdi, .vfs4, .vhd, .vhdx, .vmdk, .vob, .vsdx, .vst, .wav, .wb2, .wbk, .wbverify, .webm, .wmb, .wpb, .wpd, .wps, .x3f, .xdw, .xlk, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xml, .xqx, .xyze, .xz, .yuv, .zip, .zipx

The ransomware will also drop a ransom note named README!!! ALL YOUR FILES HAVE BEEN SECURELY ENCRYPTED!!!.txt that tells you to contact king.ouroboros@protonmail.com or a@savemyfiles.pw for payment instructions. The ransom note says the following:

All your files have been encrypted!
The encryption key has been sent online and is not public.
You have 10 days time to contact us or you will lose your data.
The only way you can recover your files is to buy a decryption key.
The payment method is: Bitcoins. The price is: 80$ USD = 0.01184434 Bitcoin
For instruction on recovery send an email to: king.ouroboros@protonmail.com
We will reply within 48 hours. If we don't reply send email to a@savemyfiles.pw
DO NOT USE ANY ANTIVIRUS PROGRAMS. YOU WILL NOT BE ABLE TO RECOVER YOUR FILES!
Include this ID in the email you send to us: id

The ransomware will also change the desktop background to a "hackerish" type background. The last noticeable change it makes is to create a legal notice that is displayed to the user before they log in to the computer. The ransomware developer appears to dislike President Trump based on the name of his Command & Control server's domain and its title. The domain name of the Command & Control server is orangepresident.pw.
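An added triage helper, not code from the page or from the malware's authors, that applies the renaming pattern (test.doc to test.king_ouroboros.doc) and the ransom note filename described above to a directory listing from an affected host, recovering the original names of encrypted files and flagging untouched files of targeted types. The sample paths and the short extension subset are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Marker King Ouroboros inserts before the original extension (test.doc ->
# test.king_ouroboros.doc) and the ransom note name, both taken from the page.
MARKER = "king_ouroboros"
NOTE_NAME = "README!!! ALL YOUR FILES HAVE BEEN SECURELY ENCRYPTED!!!.txt"

# Subset of the extensions the page lists as targeted (assumption: a short
# sample is enough here; extend with the full list for real use).
TARGETED = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "zip", "sql", "vmdk", "vhdx"}

# Greedy stem, then ".king_ouroboros.", then a dot-free final extension, so
# multi-dot names such as archive.tar.king_ouroboros.gz are handled.
_ENCRYPTED_RE = re.compile(r"^(?P<stem>.+)\." + re.escape(MARKER) + r"\.(?P<ext>[^.]+)$")

def original_name(filename):
    """Pre-encryption filename if `filename` carries the marker, else None."""
    m = _ENCRYPTED_RE.match(filename)
    return f"{m.group('stem')}.{m.group('ext')}" if m else None

def triage(paths):
    """Sort paths from a walk of an affected host into encrypted files (with
    original names), ransom notes, untouched targeted files, and the rest."""
    out = {"encrypted": [], "notes": [], "at_risk": [], "other": []}
    for p in paths:
        name = PureWindowsPath(p).name
        orig = original_name(name)
        if name == NOTE_NAME:
            out["notes"].append(p)
        elif orig is not None:
            out["encrypted"].append((p, orig))
        elif "." in name and name.rsplit(".", 1)[-1].lower() in TARGETED:
            out["at_risk"].append(p)
        else:
            out["other"].append(p)
    return out

# Constructed sample listing, not taken from a real infection.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\test.king_ouroboros.doc",
    r"C:\Users\alice\Documents\README!!! ALL YOUR FILES HAVE BEEN SECURELY ENCRYPTED!!!.txt",
    r"C:\Users\alice\Backups\archive.tar.king_ouroboros.gz",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Windows\System32\kernel32.dll",
]

def triage_sample():
    return triage(SAMPLE_PATHS)
```

The encrypted and at_risk buckets together give a quick scope estimate for an incident; the recovered original names are what a decryptor or backup restore would need to write back.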